(54) Strengthened public key protocol

(57) A cryptosystem utilizes the properties of discrete logs in finite groups, either in a public key message exchange or in a key exchange and generation protocol. If the group selected has subgroups of relatively small order, the message may be exponentiated by a factor of the order of the group to place the message in a subgroup of relatively small order. To inhibit such substitution, the base or generator of the cryptosystem is chosen to be a generator of a subgroup of prime order or a subgroup of an order having a number of relatively small divisors. The message may be exponentiated to each of the relatively small divisors and the result checked for the group identity. If the group identity is found, it indicates a vulnerability to substitution and is rejected.



[Figure 1 (drawing): schematic of the data communication system. Sender; Message (Plaintext); encrypt; Key; communication channel; Ciphertext; decrypt; Message.]




EP 0 743 774 A2






Description 

The present invention relates to public key cryptography.

It is well known that data can be encrypted by utilising a pair of keys, one of which is public and one of which is private. The keys are mathematically related such that data encrypted by the public key may only be decrypted by the private key. In this way, the public key of a recipient may be made available so that data intended for that recipient may be encrypted with the public key and only decrypted by the recipient's private key.

One well-known and accepted public key cryptosystem is that based upon discrete logarithms in finite groups. Different finite groups may be used, for example the multiplicative group Z_p^* of integers mod p where p is a prime; the multiplicative group of an arbitrary finite field, e.g. GF(2^n); or an elliptic curve group over a finite field.

The discrete log problem used in such cryptosystems is based on the difficulty of determining the value of an integer x from the value of α^x, even where α is known. More particularly, if α is an element of G (which is considered to be written multiplicatively) and β is a second element of G, then the discrete logarithm problem in G is that of determining whether there exists an integer x such that β = α^x, and if so, of determining such a value x.

The Diffie-Hellman key exchange protocol is widely accepted and there are numerous examples of implementations of the Diffie-Hellman protocol in use around the world.

The Diffie-Hellman key agreement protocol is typically stated as follows using as an example the finite group Z_p^*:

SETUP

The protocol requires a base α that generates a large number of elements of the selected group G and a pair of integers x, y that are retained confidential by respective correspondents A, B. Select a prime number p and let α be a generator of the multiplicative group Z_p^*, i.e. the group of integers modulo p.

THE PROTOCOL

1. Correspondent A generates a random integer x, computes α^x and sends this to correspondent B.

2. Correspondent B generates a random integer y, computes α^y and sends this to correspondent A.

3. A computes (α^y)^x = α^(xy).

4. B computes (α^x)^y = α^(xy).

A and B now share the common key α^(xy) which may be used as a secret key in a conventional cryptosystem. A similar protocol may be used in a public key system, generally referred to as an ElGamal protocol, in which each correspondent has a secret key x and a public key α^x.

The security of these protocols seems to rest on the intractability of the discrete logarithm problem in the finite group G. It should also be noted that the protocol carries over to any finite group.

The applicants have now recognized that unless the generator α and the group G are selected carefully then the exchange of information may be weak and provide almost no security.

To explain the potential problem, consider the cryptosystem described above using the group Z_p^*. The modulus p is public information that defines the cryptosystem and can be expressed as t·Q+1 with t ≥ 2 and t relatively small. This is always possible since p is odd for large primes (i.e. t could be 2).

Let S be a subgroup of Z_p^* of order t (i.e. it has t elements, each of which is an element of Z_p^*) and let γ be a base for S, i.e. each element of S can be expressed as an integral power of γ and raising γ to an integral power produces an element that is itself in the subgroup S. If α is a generator for Z_p^*, then we can take γ = α^Q without loss of generality.

If E is an active adversary in the key exchange protocol between two parties A and B then the attack proceeds as follows:

1. E intercepts the message α^x sent by A and replaces it by (α^x)^Q = γ^x and sends it on to entity B.

2. E intercepts the message α^y sent by B and replaces it by (α^y)^Q = γ^y and sends it on to entity A.

3. A computes (γ^y)^x = γ^(xy).

4. B computes (γ^x)^y = γ^(xy).

5. Although E does not know the key γ^(xy), E knows that the common key γ^(xy) lies in the subgroup S of order t as γ is a generator of S. By definition γ^(xy) must produce an element in the subgroup S. Since S is of order t it has precisely t elements. If t is small enough then E can exhaustively check all possibilities and deduce the key.

Since E selects Q, t can always be taken to be 2 and so the threat is practical.

A similar attack may be mounted with cryptosystems using groups other than Z_p^* which will be vulnerable if the element selected as a base or generator generates a subgroup which itself has a small subgroup of order t.

It is therefore an object of the present invention to provide a method for checking if modification of messages has occurred or in the alternative some method to prevent the attack from being mounted.

In general terms, the present invention is based upon utilization of predefined characteristics of the order of the subgroup.

In one aspect, the base of the cryptosystem is chosen to be a generator of a subgroup of a relatively large prime order. Substitution of any other non-unit generator is of no advantage to an attacker since it does not produce an element in a smaller subgroup that can be exhaustively searched.

In another aspect, factors of the order of the group generated by the base are used to ensure that the key does not lie in, or has not been modified to be in, a proper subgroup of relatively small order, i.e. one that may feasibly be exhaustively searched by an interloper.

Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings, in which

Figure 1 is a schematic representation of a data communication system.

Referring therefore to Figure 1, a pair of correspondents, 10, 12, denoted as correspondent A and correspondent B, exchange information over a communication channel 14. A cryptographic unit 16, 18, is interposed between each of the correspondents 10, 12 and the channel 14. A key 20 is associated with each of the cryptographic units 16, 18 to convert plaintext carried between each unit 16, 18 and its respective correspondent 10, 12 into ciphertext carried on the channel 14.

In operation, a message generated by correspondent A, 10, is encrypted by the unit 16 with the key 20 and transmitted as ciphertext over channel 14 to the unit 18.

The key 20 operates upon the ciphertext in the unit 18 to generate a plaintext message for the correspondent B, 12. Provided the keys 20 correspond, the message received by the correspondent 12 will be that sent by the correspondent 10.

In order for the system shown in Figure 1 to operate it is necessary for the keys 20 to be identical and therefore a key agreement protocol is established that allows the transfer of information in a public manner to establish the identical keys. A number of protocols are available for such key generation and most are variants of the Diffie-Hellman key exchange. Their purpose is for parties A and B to establish a secret session key K.

The system parameters for these protocols are a multiplicative group G and a generator α in the group G. Both G and α are known. Correspondent A has private key x and public key p_A = α^x. Correspondent B has private key y and public key p_B = α^y. Correspondents A and B exchange respective public keys and exponentiate with their private keys to obtain a common session key α^(xy).

As noted above, the key exchange, and therefore the ciphertext, is vulnerable if interloper E intercepts the transmission of α^x and α^y and raises each to the power Q.

In a first embodiment, the attack is foiled by defining the system parameters appropriately so that no advantage is provided to the interloper by performing a substitution. Moreover, the base or generator of the cryptosystem is selected so that tampering with the key exchange between A and B can be detected.

By way of example, for a public key system using the group Z_p^*, initially a subgroup S of Z_p^* is selected which has a prime order. The subgroup S of prime order q will only have subgroups of order 1 or the prime q itself. For example, if p is chosen as 139 then Z_139^* contains subgroups of order 1, 2, 3, 6, 23, 46, 69 and 138. Of these, the subgroups of order 2, 3 and 23 are of prime order.

Accordingly, if the base used in the public key system is chosen to be a generator γ of a subgroup S of Z_p^* of prime order q rather than a generator α of Z_p^* itself, an attempt by the interloper to substitute a smaller subgroup may be readily detected.

For example, 34 is a generator of the subgroup of order 23 in Z_139^*. Therefore the base is chosen to be 34 for key exchange and generation.

The selection of the subgroup S of prime order q restricts the interloper E to an exponent of either 1 or the prime q, i.e. 23 in the example given. If the exponent is chosen to be the order q of the subgroup S then the message produced from the generator of the subgroup exponentiated to q will be the identity element, i.e. 1 in the example given. Therefore one or both correspondents may check the message and if it corresponds to the identity element it is rejected.

Selection by the interloper E of the exponent to be 1 will of course not be of use as the discrete log problem will still be intractable and, provided the order of the subgroup is sufficiently large, a brute force approach is impractical.

It will of course be understood that the example given of p = 139 is for illustrative purposes only and that in practical implementations the prime p will be of the order of 10^150 and the order of the subgroup will typically exceed 10^40.
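
The attack steps above and the first embodiment's identity check, as an added worked example in Python. This code is not part of the patent: p = 139 and the base 34 of prime order 23 are the page's values, while the function names, the full-group generator 2 of Z_139^* and the private exponents 37 and 101 are my own choices.

```python
# Added example, not part of the patent. Toy parameters from the page: p = 139,
# base 34 generating the subgroup of prime order 23. Everything else (function
# names, the full-group generator 2, private exponents 37 and 101) is my choice.

P = 139        # the page's illustrative prime; p - 1 = 138 = 2 * 3 * 23
GAMMA = 34     # the page's generator of the subgroup of prime order 23
Q_PRIME = 23   # order of the subgroup generated by GAMMA


def divisors(n):
    """Positive divisors of n in ascending order (possible subgroup orders of Z_p^*)."""
    return [d for d in range(1, n + 1) if n % d == 0]


def multiplicative_order(g, p):
    """Smallest k >= 1 with g^k = 1 mod p, i.e. the order of the subgroup g generates."""
    k, acc = 1, g % p
    while acc != 1:
        acc = acc * g % p
        k += 1
    return k


def confine(value, p, t):
    """E's substitution from the attack steps: raise a transmitted value to
    Q = (p-1)/t so that it lands in the subgroup of order t."""
    return pow(value, (p - 1) // t, p)


def exchange(base, x, y, p, tamper=None):
    """Diffie-Hellman over Z_p^*; `tamper` is what E applies to each value in
    transit. Returns (value A receives, value B receives, key at A, key at B)."""
    to_b, to_a = pow(base, x, p), pow(base, y, p)
    if tamper is not None:
        to_b, to_a = tamper(to_b), tamper(to_a)
    return to_a, to_b, pow(to_a, x, p), pow(to_b, y, p)


def confined_key(alpha, x, y, p, t):
    """Shared key after E confines both halves to the order-t subgroup, and a
    flag confirming it lies there (key^t == 1): only t candidates remain."""
    _, _, key_a, key_b = exchange(alpha, x, y, p, tamper=lambda v: confine(v, p, t))
    assert key_a == key_b
    return key_a, pow(key_a, t, p) == 1


def accept(received, p):
    """First-embodiment check: with a base of prime order q, E's only exponents
    are 1 (no effect) and q, which yields the identity. Reject the identity."""
    return received % p != 1


def guarded_exchange(base, x, y, p, tamper=None):
    """Both correspondents apply accept(); returns the key, or None if rejected."""
    to_a, to_b, key_a, key_b = exchange(base, x, y, p, tamper)
    if not (accept(to_a, p) and accept(to_b, p)):
        return None
    return key_a if key_a == key_b else None


if __name__ == "__main__":
    print("subgroup orders of Z_139^*:", divisors(P - 1))
    print("order of 34:", multiplicative_order(GAMMA, P))
    print("key after confinement to t = 2:", confined_key(2, 37, 101, P, 2))
    print("guarded key, honest:", guarded_exchange(GAMMA, 37, 101, P))
    print("guarded key, E raises to q:",
          guarded_exchange(GAMMA, 37, 101, P, tamper=lambda v: pow(v, Q_PRIME, P)))
```

With the full-group generator 2, confining both halves to the subgroup of order 2 leaves the shared key in {1, 138}; with the page's base 34, the only substitution exponent that changes anything is 23, and it maps the received value to 1, which both sides refuse.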

In a second embodiment, the order of the subgroup need not be prime and the attack is foiled by monitoring the received message. The order of the subgroup may therefore have a number of small divisors, t_1, t_2, which are sufficiently small to render the exchange vulnerable. To foil such a substitution, at least one of the correspondents A, B takes the message received from the other correspondent, i.e. α^x for B or α^y for A, and raises the message to the power t for each small divisor t of (p-1). If the result is 1 it indicates that a new value of the message may have been substituted, as (α^x)^(Qt), with Qt = p-1, will always be 1. The fact that the result is 1 is not determinative that a substitution has been made but the probability that (α^x)^t = 1 for large values of p is small. The key exchange can be terminated if the result is 1 and a new key exchange initiated. If with different values of private keys x and y successive key exchanges yield a result of 1 when tested as above, then it is assumed that an interloper is actively monitoring the data exchange and further communication is terminated.

The determination of the value (α^x)^t may be made by exponentiation of the message α^x with the possible values of t by an exhaustive search. Alternatively, given the order of the subgroup, values of the message that yield the group identity can be tabulated and a simple comparison made to determine if the message is vulnerable.

As a third embodiment, the value of p is selected to be of the form 2q+1 where q is itself a prime. The only subgroups of Z_p^* have orders 1, 2, q and 2q. The generator of the subgroup of order q is selected for the key exchange so that t can only be 1 or q. If the subgroup of order 1 is selected then the message (α^x)^Q will be the identity element, e.g. 1, and this can readily be checked. q will be selected to be relatively large to render an attack on the discrete log problem unfeasible.

The above techniques provide a clear indication of an attempt by an interloper to substitute a subgroup and a foil that is readily implemented by a careful selection of the generator and a check for the identity element.
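
The second and third embodiments as an added Python example, not code from the patent. The second embodiment's test raises a received value to each small divisor t of the group order and rejects the identity, with the retry-then-terminate behaviour the text describes; the third picks p = 2q+1 with q prime and a base of order q, so only the identity needs checking. p = 139 is the page's value; the safe prime 107 = 2·53+1, the divisor bound 6, the failure limit 3 and all names are my own choices.

```python
# Added example, not part of the patent. Second embodiment: raise a received
# value to each small divisor t of the group order and reject the identity.
# Third embodiment: p = 2q+1 with q prime and a base of order q. p = 139 is the
# page's value; p = 107 = 2*53 + 1, the bound 6, the failure limit 3 and all
# function names are my own choices.

def small_divisors(n, bound):
    """Divisors t of n with 1 < t <= bound: the subgroup orders an interloper
    could feasibly search exhaustively (the page's t_1, t_2, ...)."""
    return [t for t in range(2, bound + 1) if n % t == 0]


def passes_small_divisor_test(received, p, group_order, bound):
    """True unless received^t == 1 for some small divisor t (or received == 1).
    A value E has confined to a subgroup of order t <= bound always fails."""
    if received % p == 1:
        return False
    return all(pow(received, t, p) != 1 for t in small_divisors(group_order, bound))


class ExchangeMonitor:
    """Applies the test to each received value; after `max_failures` successive
    rejected exchanges (each started with fresh x, y) communication is abandoned."""

    def __init__(self, p, group_order, bound, max_failures):
        self.p, self.group_order, self.bound = p, group_order, bound
        self.max_failures, self.failures = max_failures, 0

    def receive(self, value):
        """Returns 'accept', 'retry' (terminate this exchange, start a new one)
        or 'abort' (assume an interloper is active, stop communicating)."""
        if passes_small_divisor_test(value, self.p, self.group_order, self.bound):
            self.failures = 0
            return "accept"
        self.failures += 1
        return "abort" if self.failures >= self.max_failures else "retry"


def is_prime(n):
    """Trial division; adequate for the toy moduli used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def safe_prime_base(p):
    """Third embodiment: for p = 2q+1 with q prime, return (base, q) where base
    generates the subgroup of order q. Any non-identity square in Z_p^* has
    order q, because the only subgroup orders are 1, 2, q and 2q."""
    q = (p - 1) // 2
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p must be of the form 2q+1 with p and q prime")
    for g in range(2, p):
        h = g * g % p
        if h != 1:
            return h, q
    raise ValueError("no generator found")   # unreachable for p > 3


def accept_safe_prime_value(received, p):
    """With a base of prime order q, E can only raise to 1 (no change) or to q
    (giving the identity), so rejecting the identity is the whole check."""
    return received % p != 1


if __name__ == "__main__":
    monitor = ExchangeMonitor(139, 138, 6, 3)
    honest = pow(2, 37, 139)                 # 2 generates all of Z_139^*
    confined = pow(honest, 138 // 2, 139)    # what E would forward for t = 2
    print(monitor.receive(honest), monitor.receive(confined))
    base, q = safe_prime_base(107)
    print(base, q, accept_safe_prime_value(pow(base, q, 107), 107))
```

The bound on t is a policy choice: it should cover every subgroup order an interloper could search exhaustively, which for real parameters is far larger than 6; the tabulation alternative the text mentions is the same test with the identity-yielding values precomputed.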

The above examples have utilized the group Z_p^* but other groups may be used as noted above, for example, an elliptic curve group over a finite field. In the case of an elliptic curve over the field F_p where p is a prime power, there is an elliptic curve group G for each integral order lying between p+1-2√p and p+1+2√p. With high probability there is a prime q lying in this interval and by selecting this elliptic curve group, G_q, of order q for use in the cryptosystem, the group G_q will only have subgroups of order 1 and the prime q itself. Accordingly, selection of the group G_q will avoid substitution of subgroups of relatively small order and any attempt at substitution will not yield any benefits to the interloper.

A particularly convenient finite field is the field F_(2^m) which may be used for the generation of elliptic curve groups.

As an alternative approach to the selection of a group of prime order, the order of the elliptic curve may be chosen of order n, where n is not a prime, and messages are monitored by at least one of the correspondents. The integrity of the message is verified by raising the message to the power d for each small divisor d of the order n. In this case, if the result is the group identity, typically O, then it is assumed that a substitution has been made and the transmission is terminated.

Again, therefore, a group is selected that is either of prime order to inhibit substitution or a group is chosen to have an order with small divisors. In each case, substitution can be checked by monitoring the message by at least one of the correspondents.

Similar considerations will apply in other groups and careful selection of the order of the groups utilized will provide the benefits described above.

An alternative attack that may be utilized is for the interloper E to substitute a new message "e" for that transmitted from A to B and vice versa.

The new message e is chosen to be an element of a subgroup S of the group G of low order, i.e. a relatively small number of elements. When B receives the message e he exponentiates it with his secret key y to generate the session key. Similarly, when A receives the message e he exponentiates it with the secret key x to generate the session key.

Exponentiation of an element of a subgroup will produce an element within that group so that the session keys generated by A and B lie in the subgroup S. If S is of relatively low order, there is a reasonable chance that the keys generated by A and B will be identical. In that case a message encrypted with the session key may be intercepted and the small number of possibilities that exist for the key can be tried by E.

If the keys are not identical then the failure will be attributed to system errors and a new attempt will be made to establish a key. This provides E with a further opportunity to substitute a different element of the subgroup S in the transmission with a real probability that a correspondence will be established. Because of the relatively small number of possible elements, the possibilities may be exhausted and a correspondence made within the normal operating parameters of the system.

To overcome this possibility, the order of the group is selected to have factors that are either large primes or provide trivial solutions that disclose themselves upon simple examination. In the case of the group Z_p^*, a suitable form is for the value of the modulus p to be of the form 2qq'+1 where q and q' are both large primes. The subgroups S of Z_p^* will be of order 2, q or q'. Adopting a subgroup of order 2 will provide only two possible elements which can readily be checked and, if present as the session key, the session can be terminated.

The values of q and q' will not be readily ascertained due to the difficulty of factoring the products of large primes.

Even if an exhaustive attack on the subgroup of order q or q' is viable for E, such an attack will reveal itself by a large number of repeated attempts at establishing communication. Accordingly, an upper limit may be established after which communication will be terminated. The appropriate number of attempts will be based on the factors of p-1 and the nature of the communication system.

Again, therefore, the attacks by E can be resisted by checking for values of the session key that are indicative of the vulnerability of the session and by appropriate selection of the order of the group. It will be recognised that selection of the modulus of the form 2q+1 as exemplified in the third embodiment above provides the requisite robustness for resisting a substitution attack by E.
These techniques are also effective to prevent interloper E from taking a known public key α^a, raising it to an appropriate power such that α^(aQ) is in a small subgroup. The interloper can then determine aQ, and use this as his private key. There are situations where the interloper can use this to impersonate correspondent A and also convince a certifying authority to certify the public key α^(aQ) since the interloper E can prove he knows aQ.

In the above examples, the checking for elements lying in subgroups of relatively small order has been performed by exponentiating the message to the power of the small divisors of the order of the group. An alternative method which will indicate whether or not the message lies in a proper subgroup, without necessarily identifying the order of the subgroup, is to exponentiate the message to the order n/p where n is the order of the group G and p ranges over all prime divisors of n. If the result is the group identity (1 in the case of Z_p^*) then it indicates that the message does lie in a subgroup. Depending upon the strategy used to determine the order of the group G, it is possible either to reject the message or to test further to determine the order of the subgroup.

Claims

1. A method of determining the integrity of a message exchanged between a pair of correspondents, said message being secured by embodying said message in a function of α^x where α is an element of a finite group S of order q, said method comprising the steps of at least one of the correspondents receiving public information α^x where x is an integer selected by another of said correspondents, determining whether said public information α^x when exponentiated to a value t where t is a divisor of q provides a resultant value α^(xt) corresponding to the group identity and rejecting messages utilizing said public information if said resultant value corresponds to said group identity.

2. A method according to claim 1 wherein a plurality of values of t are utilized and each resultant value compared to the group identity.

3. A method according to claim 1 wherein said order q is a prime number.

4. A method according to claim 1 wherein said group S is a subgroup of a group G of order n.

5. A method according to claim 4 wherein q is a prime number.

6. A method according to claim 1 wherein said group is a multiplicative group Z_p^* of integers mod p where p is a prime.

7. A method according to claim 1 wherein said group is a multiplicative group of a finite field.

8. A method according to claim 1 wherein said group is an elliptic curve group G over a finite field.

9. A method according to claim 1 wherein said group is over a finite field F_(2^m).

10. A method according to claim 9 wherein said group is an elliptic curve group.

11. A method according to claim 6 wherein said modulus p is of the form 2q+1 and q is a prime.

12. A method according to claim 6 wherein said modulus p is of the form nqq'+1 and q and q' are relatively large primes.

13. A method according to claim 1 wherein said message is a component of a session key α^(xy) where y is an integer selected by said one correspondent.

14. A method of establishing a session key of the form α^(xy) for encryption of data between a pair of correspondents having respective private keys x and y comprising the steps of selecting a finite field F_p, establishing a subgroup S of the field F_p having an order q, determining an element α of the subgroup S to generate a relatively large number of the q elements of the subgroup S and utilising said element α to generate a session key at each correspondent of the form α^(xy) where x is an integer selected by one of said correspondents and y is an integer selected by another of said correspondents.

15. A method according to claim 6 wherein said order q of said subgroup S is a prime.

16. A method according to claim 14 including the step of receiving at one of said correspondents a message α^x, exponentiating said message α^x to a value t where t is a divisor of the order of the subgroup, comparing a resultant value α^(xt) to the group identity and preventing establishment of said session key if said value corresponds to the group identity.

17. A method according to claim 14 wherein said order of said subgroup is of the form nqq'+1 where n, q and q' are each integers.

18. A method according to claim 17 wherein the values q and q' are each prime numbers.

19. A method according to claim 18 wherein n has a value of 2.

20. A method according to claim 14 wherein said subgroup is selected to have an order that is to be a function of the product of a pair of primes q, q' and said element α is a generator of a subgroup of an order of one of said primes q, q'.
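
The alternative check described at the end of the description (exponentiate to n/r for each prime divisor r of the group order n) and the divisor test of claims 1, 2 and 16, as an added Python example; this is not the patent's own code. It also contrasts the n/r test with the second embodiment's small-divisor test, showing an element of order 46 in Z_139^* that only the n/r test detects. p = 139 and n = 138 = 2·3·23 are the page's values; the sample elements 2, 8 and 34, the divisor bound 6 and all names are my own choices.

```python
# Added example, not part of the patent. The alternative check from the end of
# the description (and claims 1, 2 and 16): raise a received value to n/r for
# each prime r dividing the group order n; the identity shows the value lies in
# a proper subgroup, without saying which one. p = 139 and n = 138 = 2*3*23 are
# the page's values; the sample elements 2, 8 and 34 and the names are my own.

P = 139
N = P - 1                    # order of Z_139^*
PRIMES_OF_N = (2, 3, 23)     # prime divisors of n, part of the known system parameters


def proper_subgroup_witnesses(value, p, n, primes):
    """Prime divisors r of n for which value^(n/r) == 1 mod p. Non-empty means
    the value generates a proper subgroup; empty means it generates all of Z_p^*."""
    v = value % p
    return [r for r in primes if pow(v, n // r, p) == 1]


def lies_in_proper_subgroup(value, p, n, primes):
    """The accept/reject decision: reject the identity or any witnessed value."""
    return value % p == 1 or bool(proper_subgroup_witnesses(value, p, n, primes))


def order_divides(n, witnesses):
    """Testing further, as the page allows: if value^(n/r) == 1 for every r in
    `witnesses`, the order of the value divides n / (product of those r)."""
    bound = n
    for r in witnesses:
        bound //= r
    return bound


def caught_by_small_divisor_test(value, p, n, bound):
    """The second-embodiment test for comparison: value^t == 1 for some divisor
    t <= bound of n. Misses elements whose order has only large divisors."""
    return any(pow(value, t, p) == 1 for t in range(1, bound + 1) if n % t == 0)


if __name__ == "__main__":
    for element in (2, 34, 8):    # orders 138, 23 and 46 respectively
        w = proper_subgroup_witnesses(element, P, N, PRIMES_OF_N)
        print(element, "witnesses:", w, "order divides", order_divides(N, w),
              "small-divisor test catches it:",
              caught_by_small_divisor_test(element, P, N, 6))
```

The element 8 = 2^3 has order 46 = 2·23: raising it to 2, 3 or 6 never gives 1, so the small-divisor test passes it, but 8^(138/3) = 8^46 = 1 exposes it as a proper-subgroup element. The n/r test needs the prime factorisation of n, which the party that chose the group parameters has.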